GivingThanks.constructor(): not setting CharityRegistry contract's address correctly
Summary
GivingThanks.constructor() assigns the CharityRegistry contract to msg.sender, not to the _registry sent as a parameter.
Vulnerability Details
When deploying the GivingThanks contract, the CharityRegistry public registry variable should be set to correctly point to the CharityRegistry contract. This is done by assigning the CharityRegistry address sent during deployment via the _registry parameter to the constructor. The constructor instead assigns the address msg.sender to the CharityRegistry contract.
Impact
Incorrect assignment of the CharityRegistry contract causes the entire GivingThanks to fail to function properly. It will revert every time someone wants to donate.
Tools Used
Manual review
Recommendations
Correct GivingThanks.constructor() as follows:
Lead Judging Commences
finding-bad-registry-set-at-construction
Likelyhood: High, the parameter is not well used and won't be set. Impact: Low, can be changed with the setter and no one will be able to donate to malicious charity.
Rewards breakdown
Live
The contest is live. Earn rewards by submitting a finding.
Appeals
This is your time to appeal against judgements on your submissions.
Appeals Review
Appeals are being carefully reviewed by our judges.